IBM / cloud-pak-deployer

Configuration-based installation of OpenShift and Cloud Pak for Data/Integration/Watson AIOps on various private and public cloud infrastructure providers. Deployment attempts to achieve the end-state defined in the configuration. If something fails along the way, you only need to restart the process to continue the deployment.
https://ibm.github.io/cloud-pak-deployer/
Apache License 2.0

AWS Security Group created with rules open to the world #643

Open techietav opened 4 months ago

techietav commented 4 months ago

When deploying CP4D onto AWS and creating the OpenShift cluster, a Security Group is created with 'rules open to the world'. This violates the AWS client security enforcement policy and is immediately removed, as well as triggering an email to the account owner informing them of the incident.

Security Groups MUST be created with least privileged principles so only the required ports and hosts are specified.

This requires an immediate fix.

fketelaars commented 4 months ago

For OpenShift deployments, Cloud Pak Deployer follows the standard steps for IPI installations in the OpenShift documentation.

If the customer has specific guidelines on how security groups must be created, they can create the AWS resources and deploy OpenShift using their own standards. Once created, Cloud Pak Deployer can be used to deploy the Cloud Pak software.